CVE-2021-24666

9.8 CRITICAL

📋 TL;DR

This CVE describes a SQL injection vulnerability in the Podlove Podcast Publisher WordPress plugin's 'Social & Donations' module. Attackers can exploit unauthenticated REST API endpoints to execute arbitrary SQL commands, potentially compromising the entire WordPress database. WordPress sites running vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • Podlove Podcast Publisher WordPress Plugin
Versions: All versions before 3.5.6
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ✅ No
Notes: The vulnerable 'Social & Donations' module is not activated by default, but the REST endpoint exists regardless of activation status.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, remote code execution, and full site takeover.

🟠 Likely Case

Database information disclosure, including user credentials, sensitive content, and plugin data extraction.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and WAF protection blocking SQL injection attempts.

🌐 Internet-Facing: HIGH - The vulnerable REST endpoint is publicly accessible without authentication.
🏢 Internal Only: MEDIUM - Internal systems could still be vulnerable if the plugin is installed, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted requests to the REST endpoint with SQL injection payloads in 'id' and 'category' parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.6

Vendor Advisory: https://github.com/podlove/podlove-publisher/commit/aa8a343a2e2333b34a422f801adee09b020c6d76

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Podlove Podcast Publisher.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.5.6+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable REST Endpoint via .htaccess

Platform: linux

Block access to the vulnerable REST endpoint using Apache mod_rewrite rules (placed in the .htaccess file at the WordPress document root). Note that WordPress also serves REST routes through the rest_route query parameter (e.g. /?rest_route=/podlove/v1/services/contributor/), which a path-based rule like the one below does not cover; block that form as well or prefer deactivating the plugin.

RewriteEngine On
RewriteRule ^wp-json/podlove/v1/services/contributor/ - [F,L]

Deactivate Plugin

Platform: all

Temporarily disable the Podlove Podcast Publisher plugin until patched. Confirm the installed plugin slug first with `wp plugin list`, since it may differ from the one used below.

wp plugin deactivate podlove-podcast-publisher

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block SQL injection patterns targeting the /services/contributor/ endpoint.
  • Disable the 'Social & Donations' module if activated and restrict REST API access to authenticated users only.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Podlove Podcast Publisher → Version. If below 3.5.6, vulnerable.

Check Version:

wp plugin list --name=podlove-podcast-publisher --field=version

Verify Fix Applied:

Confirm plugin version is 3.5.6 or higher and test the REST endpoint with SQL injection payloads (in a safe environment).

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /wp-json/podlove/v1/services/contributor/ with SQL keywords (UNION, SELECT, etc.) in parameters
  • Database error logs showing SQL syntax errors from WordPress

Network Indicators:

  • Unusual POST/GET requests to podcast publisher REST endpoints with encoded payloads
  • Traffic spikes to /wp-json/podlove/v1/ paths

SIEM Query:

source="web_logs" AND uri_path="/wp-json/podlove/v1/services/contributor/*" AND (query_string="*UNION*" OR query_string="*SELECT*" OR query_string="*OR 1=1*")
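The log indicators and SIEM query above, turned into a small offline detector as an added example (not part of the original advisory): it parses combined-format access-log lines, resolves both the pretty /wp-json/ form and the ?rest_route= form of the endpoint, URL-decodes the parameters, and flags only requests to the contributor route that carry the listed SQL keywords. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache/nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2021:12:00:01 +0000] "GET /wp-json/podlove/v1/services/contributor/1?category=donation HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2021:12:00:02 +0000] "GET /wp-json/podlove/v1/services/contributor/1?category=1%20UNION%20SELECT%201 HTTP/1.1" 500 311 "-" "python-requests/2.25"
203.0.113.9 - - [10/Aug/2021:12:00:03 +0000] "GET /?rest_route=/podlove/v1/services/contributor/&id=1%20OR%201%3D1 HTTP/1.1" 200 700 "-" "curl/7.68"
198.51.100.2 - - [10/Aug/2021:12:00:04 +0000] "GET /wp-json/wp/v2/posts?search=select HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# The vulnerable route from the advisory, without the /wp-json prefix.
ENDPOINT = "/podlove/v1/services/contributor/"
# Keywords named in the advisory's log indicators and SIEM query.
SQL_PATTERN = re.compile(r"\b(UNION|SELECT|OR\s+1\s*=\s*1)\b", re.IGNORECASE)


def route_of(target):
    """Return (rest_route, decoded query params) for a request target.

    Handles both /wp-json/<route> and /?rest_route=<route> forms.
    """
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded
    if parts.path.startswith("/wp-json"):
        return parts.path[len("/wp-json"):], params
    route = params.pop("rest_route", [None])[0]
    return route, params


def scan_log(text):
    """Return (ip, route, keyword) for each request hitting the contributor
    endpoint with a SQL keyword in the decoded path or any parameter value."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        route, params = route_of(m["target"])
        if not route or not route.startswith(ENDPOINT):
            continue  # other REST routes are out of scope for this indicator
        candidates = [unquote(route)] + [v for vals in params.values() for v in vals]
        for value in candidates:
            kw = SQL_PATTERN.search(value)
            if kw:
                hits.append((m["ip"], route, kw.group(1).upper()))
                break
    return hits
```

Keyword matching alone is noisy (the last sample line contains "select" but targets an unrelated route and is not flagged), so scoping to the contributor route is what keeps the false-positive rate usable.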

🔗 References
